Authentication mechanism selection


Where it began

Thales Watchword II



One time password AND signature mode

.... specialised tokens were issued to a select few for securing high value transactions



• Threats were relatively unsophisticated and not systemic

• Total cost of tokens and issuance was not an issue

• Tokens were fit for purpose

... and the world has changed



Business flexibility is more critical

• New transaction types and electronic delivery channels for all market segments

• Increased focus on self service for all market segments


Risk landscape is more hostile

• Explosion in Internet based transaction banking increases the target for attackers

• Attacks are diverse and prolific and increasingly sophisticated


Users are more demanding

• Usability is a key differentiator in e-service delivery

... but the sad state is that many banks continue to deploy old world responses to modern threats to transaction security.

... it's the way it has always been done
Specialised token usage

[Screenshot: internet banking page "Transfer Money - Confirm Details"]

  From account:                   StreamLine 1613631
  Your transaction description:   Loan Repayment
  To account:                     John Smith 612351516
  To account descriptor:          Payment
  When:                           Transfer now (5/16/2012 1:54:29 PM)

  Confirm the transaction details above and enter the three fields into your
  token to generate a one time password. Then enter your one time password
  into the fields below.

  One Time Password: [ ______ ]

  [ Confirm ]  [ Modify ]  [ Cancel ]

... I expect that you can see some problems here



Copyright Salt Group 2012 




The pillars of online service delivery

Usability | Security | Availability
... and the main trouble with specialised tokens is:

  Bank Risk  <-->  End User Usability

• Process is tedious and time consuming

• Process introduces errors

• Banks cannot get the balance: they need to increase their optimal exposure levels (the value threshold above which signing is demanded) to appease their users
.... specialised tokens are a solution past

Bad user experience, with input of around 24 characters required for a typical payment
» User complaints affect the authentication value threshold

Costly and cumbersome to deploy and manage
» Churn rate very high in retail environment
» Significant lag time between registration and fulfilment

Token configuration is static
» Typically four "fields" (6-8 characters in length) plus PIN
» Inflexible for new transaction signature definition

Subject to malware / social engineering attacks in the creation of the "field values" to be entered
» Tokens often require "real field" truncation to conveniently input into the token (eg account number)

Token signature does not include transaction context
» Arguable value in a dispute situation, and may not include all critical transaction data due to truncation
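The truncation and missing-context points above, as an added example written for this page (it is not Salt Group's or any token vendor's code): a signature-mode token computes its one time password over three truncated numeric fields keyed in by the user, so a man-in-the-browser that swaps the beneficiary for an account sharing the same truncated digits is not caught. A signature over the full displayed summary is. The HMAC-SHA256 stand-in for the token and device algorithms, the six-digit truncation rule, the seeds and the mule account number are all assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List

# Constructed secrets for the example. A real token keeps its seed in the device and
# uses a vendor-specific algorithm; HMAC-SHA256 stands in for both here.
TOKEN_SEED = b"example-token-seed-not-a-real-key"
DEVICE_KEY = b"example-msign-device-key-not-real"


@dataclass(frozen=True)
class Transfer:
    from_account: str
    to_account: str
    to_name: str
    amount_cents: int
    description: str


def token_fields(tx: Transfer, width: int = 6) -> List[str]:
    """Signature-mode token: only a few short numeric fields fit on the keypad, so the host
    truncates each real field (assumed here: keep the last `width` digits) before the user
    keys it in. The payee name and description never reach the token at all."""
    return [tx.from_account[-width:], tx.to_account[-width:], str(tx.amount_cents // 100)[-width:]]


def token_signature(fields: List[str]) -> str:
    """The token's one time password over the keyed fields, rendered as 8 digits."""
    mac = hmac.new(TOKEN_SEED, "|".join(fields).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def bank_verifies_token(submitted: Transfer, otp: str) -> bool:
    """The bank can only recompute the OTP from the truncated fields of what it received."""
    return hmac.compare_digest(token_signature(token_fields(submitted)), otp)


def canonical_summary(tx: Transfer) -> bytes:
    """What-you-see-is-what-you-sign: the complete, untruncated summary shown on the handset."""
    return (f"from={tx.from_account};to={tx.to_account};name={tx.to_name};"
            f"amount={tx.amount_cents};desc={tx.description}").encode()


def context_signature(tx: Transfer) -> str:
    return hmac.new(DEVICE_KEY, canonical_summary(tx), hashlib.sha256).hexdigest()


def bank_verifies_context(submitted: Transfer, sig: str) -> bool:
    return hmac.compare_digest(context_signature(submitted), sig)


# Constructed sample: the transfer the user intends (figures from the slide's mock-up) and the
# version a man-in-the-browser substitutes. The mule account is chosen so that its last six
# digits equal the intended beneficiary's, which is all the truncated token field carries.
INTENDED = Transfer("1613631", "612351516", "John Smith", 30_000_00, "Payment")
MULE = Transfer("1613631", "999351516", "A Mule", 30_000_00, "Payment")


def truncated_fields_collide() -> bool:
    return token_fields(INTENDED) == token_fields(MULE)


def mitb_evades_token() -> bool:
    # The user keys the fields from the page they believe they are confirming; the browser
    # malware submits the mule transfer together with that OTP. The bank's check passes.
    otp = token_signature(token_fields(INTENDED))
    return bank_verifies_token(MULE, otp)


def mitb_caught_by_full_context() -> bool:
    # Over the full summary the two transfers are different bytes: the user sees the changed
    # beneficiary, and a signature over the intended summary does not verify for the
    # substituted one.
    sig = context_signature(INTENDED)
    return canonical_summary(INTENDED) != canonical_summary(MULE) and not bank_verifies_context(MULE, sig)


if __name__ == "__main__":
    print("truncated token fields collide:", truncated_fields_collide())
    print("MitB swap passes token check:  ", mitb_evades_token())
    print("MitB swap caught with context: ", mitb_caught_by_full_context())
```

The collision is not a weakness of the MAC; it is a consequence of signing six digits of a nine-digit account number. Widening the fields helps only until the keypad budget (the "24 characters" above) runs out, which is the usability trade-off the previous slides describe.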
mSign

An authentication model that addresses today's needs

• High assurance transaction signing
• Brandable
• PIN protected
• Supports "What You See is What You Sign" workflow

[Screenshot of the mSign handset app, Salt Group branding: From: StreamLine 1613631; Recipient: John Smith 612351516; amount (not legible in the extracted image); Signature: 3644-4095]
SALT mSign for Transaction Signing: use case

[Diagram: the bank's PAYMENT application hands the Txn Summary to the SALT PUSH GATEWAY, which delivers it to the user's handset. Delivery paths shown: Apple PUSH via the APNs service, Blackberry PUSH, Android PUSH, and an SMS Gateway over GSM. The handset displays the Transaction Summary for Transaction Authentication; the bank then verifies the returned code ("Verify Autocode" in the diagram).]
mSign - addressing bank and user needs

No more annoying need for user entry of transaction data into a token
» Transaction summary sent to the handset over the air
» Intuitive user interface; the user "views" and "approves"
» Eliminates user keying errors
» Faster and less error prone than security token "signature" mode use

Free format "authentication data" frees up your security model
» Authentication fields / transaction summary determined by the host application; no set format
» Easy introduction of new transaction types - no impact on token
» Context is included in the signature for improved non repudiation
» Optional policy based inclusion of supplementary data input






Addressing Man in the Browser Attacks with Salt mSign Mobile Authentication

The Attack

Man in the Browser attacks modify a user's transaction prior to submission to the bank, typically by changing the beneficiary account, at least.

Traditional Bank Responses

• SMS sent to the user for transaction validation.

• Specialised security tokens deployed to enable out of band transaction signature generation.
The problems with SMS

Mobile Number Porting

• A fraudulent port (or SIM swap) of the victim's number delivers the validation SMS to the attacker instead of the user

Nobody reads the transaction summaries!!

• Banks globally say that SMS delivered transaction summaries are not read properly

• Beneficiary account number changes by malware go undetected

• Man in the Browser malware developers know this and are not deterred from targeting banks that use SMS out of band transaction summary based authentication.
mSign addresses both these threats

PUSH message is not subject to mobile number porting

• PUSH is PKI scheme protected

• PUSH is to a device, not a mobile number
... critical authentication data is (optionally) confirmed by the user to avoid undetected malware attacks

Partial transaction summary displayed

Supplementary information requested

• Determined by centralised policy based on risk

• User forced to refer to original documentation
... the entire displayed transaction summary is protected by the Signature

Any input data inconsistency alerted to the bank

• Central response

What you see is what you have

• Includes context

• Incorporates user input data

[Screenshot of the mSign handset app: From: StreamLine 1613631; Recipient: John Smith 612351516; amount (not legible in the extracted image); Signature: 3644-4095]
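The policy-driven supplementary input and the central inconsistency check on the last three slides, as an added example written for this page (it is not mSign's code): the bank builds a free-format summary of the transaction as it received it, decides by policy whether to prompt for data the user must take from the original invoice, and the handset signs exactly what it displayed plus what the user typed. The bank then checks the signature against its own record and the typed digits against the submitted beneficiary, so a beneficiary rewritten by browser malware is flagged centrally even if the user approves without reading. The device key, the HMAC stand-in for the device signature, the JSON encoding and the $10,000 threshold are assumptions of this example.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed per-device key. mSign uses a PKI-protected push channel and a device-bound
# signature; an HMAC over the canonical summary stands in for that signature here.
DEVICE_KEY = b"example-msign-device-key-not-real"

# Hypothetical central policy: transfers at or above this amount require the user to key in
# supplementary data taken from the original invoice, not from the screen.
SUPPLEMENTARY_THRESHOLD_CENTS = 10_000_00


def build_push_summary(tx: dict) -> dict:
    """Bank side: a free-format summary of the transaction *as received*, plus the policy decision."""
    summary = {k: tx[k] for k in ("txn_id", "from", "to", "name", "amount_cents")}
    if tx["amount_cents"] >= SUPPLEMENTARY_THRESHOLD_CENTS:
        summary["prompt"] = "Enter the last 4 digits of the beneficiary account from your invoice"
    return summary


def canonical(summary: dict, supplementary: str) -> bytes:
    """Deterministic encoding of exactly what was displayed plus what the user typed."""
    return json.dumps({"summary": summary, "supplementary": supplementary},
                      sort_keys=True, separators=(",", ":")).encode()


def device_approve(summary: dict, supplementary: str) -> dict:
    """Handset side: the user views the summary, answers the prompt (if any) and approves."""
    sig = hmac.new(DEVICE_KEY, canonical(summary, supplementary), hashlib.sha256).hexdigest()
    return {"txn_id": summary["txn_id"], "supplementary": supplementary, "signature": sig}


def bank_verify(tx: dict, approval: dict) -> Tuple[bool, str]:
    """Bank side: rebuild the summary from its own record of the submitted transaction, check that
    the signature covers it, then check the user's supplementary data against that same record."""
    summary = build_push_summary(tx)
    expected = hmac.new(DEVICE_KEY, canonical(summary, approval["supplementary"]),
                        hashlib.sha256).hexdigest()
    if approval["txn_id"] != tx["txn_id"] or not hmac.compare_digest(expected, approval["signature"]):
        return False, "signature does not cover this transaction"
    if "prompt" in summary and approval["supplementary"] != tx["to"][-4:]:
        return False, "supplementary data inconsistent with submitted beneficiary: alert"
    return True, "approved"


# Constructed transactions (figures from the slide's mock-up; the mule account is invented).
HONEST = {"txn_id": "T1001", "from": "1613631", "to": "612351516", "name": "John Smith",
          "amount_cents": 30_000_00}
SWAPPED = dict(HONEST, to="770004422", name="A Mule")            # beneficiary rewritten by malware
LOW_VALUE = dict(HONEST, txn_id="T1002", amount_cents=500_00)    # below the policy threshold
INVOICE_DIGITS = "1516"                                          # read off the paper invoice


def scenario_honest() -> Tuple[bool, str]:
    return bank_verify(HONEST, device_approve(build_push_summary(HONEST), INVOICE_DIGITS))


def scenario_swapped_beneficiary() -> Tuple[bool, str]:
    # The handset shows the mule account. Even if the user does not notice and approves, the
    # digits they key in come from the invoice and contradict the submitted beneficiary.
    return bank_verify(SWAPPED, device_approve(build_push_summary(SWAPPED), INVOICE_DIGITS))


def scenario_low_value() -> Tuple[bool, str]:
    # No prompt below the threshold: view and approve only.
    return bank_verify(LOW_VALUE, device_approve(build_push_summary(LOW_VALUE), ""))


def scenario_reused_approval() -> Tuple[bool, str]:
    # An approval captured for the honest transfer does not validate the swapped one, because
    # the signature covers the full displayed context, not just an OTP.
    return bank_verify(SWAPPED, device_approve(build_push_summary(HONEST), INVOICE_DIGITS))


if __name__ == "__main__":
    for name, fn in [("honest", scenario_honest), ("swapped", scenario_swapped_beneficiary),
                     ("low value", scenario_low_value), ("reused", scenario_reused_approval)]:
        print(f"{name:10s} -> {fn()}")
```

The value of the supplementary prompt is that the comparison happens at the bank against the submitted transaction, not on the (possibly unread) screen; the prompt itself is chosen by central policy, so raising or lowering the threshold needs no change on the handset.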
mSign fully addresses the weaknesses of specialised security tokens

Weakness: Bad user experience with input of up to 20 characters required for typical payment
mSign:    • Signature data is received over the air with mSign
          • Zero or limited supplementary info required to be input with mSign

Weakness: Costly and cumbersome to deploy and manage
mSign:    • Over the air deployment and activation
          • Closed loop provisioning enables token usage within the same session

Weakness: Token configuration is static
mSign:    • Signature data is unstructured with mSign
          • New transaction commissioning has no impact on mSign

Weakness: Subject to malware / social engineering attacks in the creation of the field values to be entered
mSign:    • Not applicable in mSign. Signature data is received from the bank via the independent PUSH channel

Weakness: Token signature does not include transaction context
mSign:    • Full context is signed with mSign
1992 ... 2012

The odd man out is ...

Something to ponder on your journey home

Have a safe trip and thank you for your attention
www.saltgroup.com.au
roakley@saltgroup.com.au

Visit Salt Group with Thales eSecurity on Stand 66 to see mSign